| T1001 | Data Obfuscation |
| T1001.001 | Junk Data |
| T1001.002 | Steganography |
| T1001.003 | Protocol or Service Impersonation |
| T1002 | Data Compressed |
| T1003 | OS Credential Dumping |
| T1003.001 | LSASS Memory |
| T1003.002 | Security Account Manager |
| T1003.003 | NTDS |
| T1003.004 | LSA Secrets |
| T1003.005 | Cached Domain Credentials |
| T1003.006 | DCSync |
| T1003.007 | Proc Filesystem |
| T1003.008 | /etc/passwd and /etc/shadow |
| T1004 | Winlogon Helper DLL |
| T1005 | Data from Local System |
| T1006 | Direct Volume Access |
| T1007 | System Service Discovery |
| T1008 | Fallback Channels |
| T1009 | Binary Padding |
| T1010 | Application Window Discovery |
| T1011 | Exfiltration Over Other Network Medium |
| T1011.001 | Exfiltration Over Bluetooth |
| T1012 | Query Registry |
| T1013 | Port Monitors |
| T1014 | Rootkit |
| T1015 | Accessibility Features |
| T1016 | System Network Configuration Discovery |
| T1016.001 | Internet Connection Discovery |
| T1016.002 | Wi-Fi Discovery |
| T1017 | Application Deployment Software |
| T1018 | Remote System Discovery |
| T1019 | System Firmware |
| T1020 | Automated Exfiltration |
| T1020.001 | Traffic Duplication |
| T1021 | Remote Services |
| T1021.001 | Remote Desktop Protocol |
| T1021.002 | SMB/Windows Admin Shares |
| T1021.003 | Distributed Component Object Model |
| T1021.004 | SSH |
| T1021.005 | VNC |
| T1021.006 | Windows Remote Management |
| T1021.007 | Cloud Services |
| T1021.008 | Direct Cloud VM Connections |
| T1022 | Data Encrypted |
| T1023 | Shortcut Modification |
| T1024 | Custom Cryptographic Protocol |
| T1025 | Data from Removable Media |
| T1026 | Multiband Communication |
| T1027 | Obfuscated Files or Information |
| T1027.001 | Binary Padding |
| T1027.002 | Software Packing |
| T1027.003 | Steganography |
| T1027.004 | Compile After Delivery |
| T1027.005 | Indicator Removal from Tools |
| T1027.006 | HTML Smuggling |
| T1027.007 | Dynamic API Resolution |
| T1027.008 | Stripped Payloads |
| T1027.009 | Embedded Payloads |
| T1027.010 | Command Obfuscation |
| T1027.011 | Fileless Storage |
| T1027.012 | LNK Icon Smuggling |
| T1027.013 | Encrypted/Encoded File |
| T1027.014 | Polymorphic Code |
| T1028 | Windows Remote Management |
| T1029 | Scheduled Transfer |
| T1030 | Data Transfer Size Limits |
| T1031 | Modify Existing Service |
| T1032 | Standard Cryptographic Protocol |
| T1033 | System Owner/User Discovery |
| T1034 | Path Interception |
| T1035 | Service Execution |
| T1036 | Masquerading |
| T1036.001 | Invalid Code Signature |
| T1036.002 | Right-to-Left Override |
| T1036.003 | Rename System Utilities |
| T1036.004 | Masquerade Task or Service |
| T1036.005 | Match Legitimate Name or Location |
| T1036.006 | Space after Filename |
| T1036.007 | Double File Extension |
| T1036.008 | Masquerade File Type |
| T1036.009 | Break Process Trees |
| T1036.010 | Masquerade Account Name |
| T1037 | Boot or Logon Initialization Scripts |
| T1037.001 | Logon Script (Windows) |
| T1037.002 | Login Hook |
| T1037.003 | Network Logon Script |
| T1037.004 | RC Scripts |
| T1037.005 | Startup Items |
| T1038 | DLL Search Order Hijacking |
| T1039 | Data from Network Shared Drive |
| T1040 | Network Sniffing |
| T1041 | Exfiltration Over C2 Channel |
| T1042 | Change Default File Association |
| T1043 | Commonly Used Port |
| T1044 | File System Permissions Weakness |
| T1045 | Software Packing |
| T1046 | Network Service Discovery |
| T1047 | Windows Management Instrumentation |
| T1048 | Exfiltration Over Alternative Protocol |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol |
| T1049 | System Network Connections Discovery |
| T1050 | New Service |
| T1051 | Shared Webroot |
| T1052 | Exfiltration Over Physical Medium |
| T1052.001 | Exfiltration over USB |
| T1053 | Scheduled Task/Job |
| T1053.001 | At (Linux) Execution |
| T1053.002 | At |
| T1053.003 | Cron |
| T1053.004 | Launchd |
| T1053.005 | Scheduled Task |
| T1053.006 | Systemd Timers |
| T1053.007 | Container Orchestration Job |
| T1054 | Indicator Blocking |
| T1055 | Process Injection |
| T1055.001 | Dynamic-link Library Injection |
| T1055.002 | Portable Executable Injection |
| T1055.003 | Thread Execution Hijacking |
| T1055.004 | Asynchronous Procedure Call |
| T1055.005 | Thread Local Storage |
| T1055.008 | Ptrace System Calls |
| T1055.009 | Proc Memory |
| T1055.011 | Extra Window Memory Injection |
| T1055.012 | Process Hollowing |
| T1055.013 | Process Doppelgänging |
| T1055.014 | VDSO Hijacking |
| T1055.015 | ListPlanting |
| T1056 | Input Capture |
| T1056.001 | Keylogging |
| T1056.002 | GUI Input Capture |
| T1056.003 | Web Portal Capture |
| T1056.004 | Credential API Hooking |
| T1057 | Process Discovery |
| T1058 | Service Registry Permissions Weakness |
| T1059 | Command and Scripting Interpreter |
| T1059.001 | PowerShell |
| T1059.002 | AppleScript |
| T1059.003 | Windows Command Shell |
| T1059.004 | Unix Shell |
| T1059.005 | Visual Basic |
| T1059.006 | Python |
| T1059.007 | JavaScript |
| T1059.008 | Network Device CLI |
| T1059.009 | Cloud API |
| T1059.010 | AutoHotKey & AutoIT |
| T1059.011 | Lua |
| T1060 | Registry Run Keys / Startup Folder |
| T1061 | Graphical User Interface |
| T1062 | Hypervisor |
| T1063 | Security Software Discovery |
| T1064 | Scripting |
| T1065 | Uncommonly Used Port |
| T1066 | Indicator Removal from Tools |
| T1067 | Bootkit |
| T1068 | Exploitation for Privilege Escalation |
| T1069 | Permission Groups Discovery |
| T1069.001 | Local Groups |
| T1069.002 | Domain Groups |
| T1069.003 | Cloud Groups |
| T1070 | Indicator Removal |
| T1070.001 | Clear Windows Event Logs |
| T1070.002 | Clear Linux or Mac System Logs |
| T1070.003 | Clear Command History |
| T1070.004 | File Deletion |
| T1070.005 | Network Share Connection Removal |
| T1070.006 | Timestomp |
| T1070.007 | Clear Network Connection History and Configurations |
| T1070.008 | Clear Mailbox Data |
| T1070.009 | Clear Persistence |
| T1070.010 | Relocate Malware |
| T1071 | Application Layer Protocol |
| T1071.001 | Web Protocols |
| T1071.002 | File Transfer Protocols |
| T1071.003 | Mail Protocols |
| T1071.004 | DNS |
| T1071.005 | Publish/Subscribe Protocols |
| T1072 | Software Deployment Tools |
| T1073 | DLL Side-Loading |
| T1074 | Data Staged |
| T1074.001 | Local Data Staging |
| T1074.002 | Remote Data Staging |
| T1075 | Pass the Hash |
| T1076 | Remote Desktop Protocol |
| T1077 | Windows Admin Shares |
| T1078 | Valid Accounts |
| T1078.001 | Default Accounts |
| T1078.002 | Domain Accounts |
| T1078.003 | Local Accounts |
| T1078.004 | Cloud Accounts |
| T1079 | Multilayer Encryption |
| T1080 | Taint Shared Content |
| T1081 | Credentials in Files |
| T1082 | System Information Discovery |
| T1083 | File and Directory Discovery |
| T1084 | Windows Management Instrumentation Event Subscription |
| T1085 | Rundll32 |
| T1086 | PowerShell |
| T1087 | Account Discovery |
| T1087.001 | Local Account |
| T1087.002 | Domain Account |
| T1087.003 | Email Account |
| T1087.004 | Cloud Account |
| T1088 | Bypass User Account Control |
| T1089 | Disabling Security Tools |
| T1090 | Proxy |
| T1090.001 | Internal Proxy |
| T1090.002 | External Proxy |
| T1090.003 | Multi-hop Proxy |
| T1090.004 | Domain Fronting |
| T1091 | Replication Through Removable Media |
| T1092 | Communication Through Removable Media |
| T1093 | Process Hollowing |
| T1094 | Custom Command and Control Protocol |
| T1095 | Non-Application Layer Protocol |
| T1096 | NTFS File Attributes |
| T1097 | Pass the Ticket |
| T1098 | Account Manipulation |
| T1098.001 | Additional Cloud Credentials |
| T1098.002 | Additional Email Delegate Permissions |
| T1098.003 | Additional Cloud Roles |
| T1098.004 | SSH Authorized Keys |
| T1098.005 | Device Registration |
| T1098.006 | Additional Container Cluster Roles |
| T1098.007 | Additional Local or Domain Groups |
| T1099 | Timestomp |
| T1100 | Web Shell |
| T1101 | Security Support Provider |
| T1102 | Web Service |
| T1102.001 | Dead Drop Resolver |
| T1102.002 | Bidirectional Communication |
| T1102.003 | One-Way Communication |
| T1103 | AppInit DLLs |
| T1104 | Multi-Stage Channels |
| T1105 | Ingress Tool Transfer |
| T1106 | Native API |
| T1107 | File Deletion |
| T1108 | Redundant Access |
| T1109 | Component Firmware |
| T1110 | Brute Force |
| T1110.001 | Password Guessing |
| T1110.002 | Password Cracking |
| T1110.003 | Password Spraying |
| T1110.004 | Credential Stuffing |
| T1111 | Multi-Factor Authentication Interception |
| T1112 | Modify Registry |
| T1113 | Screen Capture |
| T1114 | Email Collection |
| T1114.001 | Local Email Collection |
| T1114.002 | Remote Email Collection |
| T1114.003 | Email Forwarding Rule |
| T1115 | Clipboard Data |
| T1116 | Code Signing |
| T1117 | Regsvr32 |
| T1118 | InstallUtil |
| T1119 | Automated Collection |
| T1120 | Peripheral Device Discovery |
| T1121 | Regsvcs/Regasm |
| T1122 | Component Object Model Hijacking |
| T1123 | Audio Capture |
| T1124 | System Time Discovery |
| T1125 | Video Capture |
| T1126 | Network Share Connection Removal |
| T1127 | Trusted Developer Utilities Proxy Execution |
| T1127.001 | MSBuild |
| T1127.002 | ClickOnce |
| T1128 | Netsh Helper DLL |
| T1129 | Shared Modules |
| T1130 | Install Root Certificate |
| T1131 | Authentication Package |
| T1132 | Data Encoding |
| T1132.001 | Standard Encoding |
| T1132.002 | Non-Standard Encoding |
| T1133 | External Remote Services |
| T1134 | Access Token Manipulation |
| T1134.001 | Token Impersonation/Theft |
| T1134.002 | Create Process with Token |
| T1134.003 | Make and Impersonate Token |
| T1134.004 | Parent PID Spoofing |
| T1134.005 | SID-History Injection |
| T1135 | Network Share Discovery |
| T1136 | Create Account |
| T1136.001 | Local Account |
| T1136.002 | Domain Account |
| T1136.003 | Cloud Account |
| T1137 | Office Application Startup |
| T1137.001 | Office Template Macros |
| T1137.002 | Office Test |
| T1137.003 | Outlook Forms |
| T1137.004 | Outlook Home Page |
| T1137.005 | Outlook Rules |
| T1137.006 | Add-ins |
| T1138 | Application Shimming |
| T1139 | Bash History |
| T1140 | Deobfuscate/Decode Files or Information |
| T1141 | Input Prompt |
| T1142 | Keychain |
| T1143 | Hidden Window |
| T1144 | Gatekeeper Bypass |
| T1145 | Private Keys |
| T1146 | Clear Command History |
| T1147 | Hidden Users |
| T1148 | HISTCONTROL |
| T1149 | LC_MAIN Hijacking |
| T1150 | Plist Modification |
| T1151 | Space after Filename |
| T1152 | Launchctl |
| T1153 | Source |
| T1154 | Trap |
| T1155 | AppleScript |
| T1156 | Malicious Shell Modification |
| T1157 | Dylib Hijacking |
| T1158 | Hidden Files and Directories |
| T1159 | Launch Agent |
| T1160 | Launch Daemon |
| T1161 | LC_LOAD_DYLIB Addition |
| T1162 | Login Item |
| T1163 | Rc.common |
| T1164 | Re-opened Applications |
| T1165 | Startup Items |
| T1166 | Setuid and Setgid |
| T1167 | Securityd Memory |
| T1168 | Local Job Scheduling |
| T1169 | Sudo |
| T1170 | Mshta |
| T1171 | LLMNR/NBT-NS Poisoning and Relay |
| T1172 | Domain Fronting |
| T1173 | Dynamic Data Exchange |
| T1174 | Password Filter DLL |
| T1175 | Component Object Model and Distributed COM |
| T1176 | Browser Extensions |
| T1177 | LSASS Driver |
| T1178 | SID-History Injection |
| T1179 | Hooking |
| T1180 | Screensaver |
| T1181 | Extra Window Memory Injection |
| T1182 | AppCert DLLs |
| T1183 | Image File Execution Options Injection |
| T1184 | SSH Hijacking |
| T1185 | Browser Session Hijacking |
| T1186 | Process Doppelgänging |
| T1187 | Forced Authentication |
| T1188 | Multi-hop Proxy |
| T1189 | Drive-by Compromise |
| T1190 | Exploit Public-Facing Application |
| T1191 | CMSTP |
| T1192 | Spearphishing Link |
| T1193 | Spearphishing Attachment |
| T1194 | Spearphishing via Service |
| T1195 | Supply Chain Compromise |
| T1195.001 | Compromise Software Dependencies and Development Tools |
| T1195.002 | Compromise Software Supply Chain |
| T1195.003 | Compromise Hardware Supply Chain |
| T1196 | Control Panel Items |
| T1197 | BITS Jobs |
| T1198 | SIP and Trust Provider Hijacking |
| T1199 | Trusted Relationship |
| T1200 | Hardware Additions |
| T1201 | Password Policy Discovery |
| T1202 | Indirect Command Execution |
| T1203 | Exploitation for Client Execution |
| T1204 | User Execution |
| T1204.001 | Malicious Link |
| T1204.002 | Malicious File |
| T1204.003 | Malicious Image |
| T1205 | Traffic Signaling |
| T1205.001 | Port Knocking |
| T1205.002 | Socket Filters |
| T1206 | Sudo Caching |
| T1207 | Rogue Domain Controller |
| T1208 | Kerberoasting |
| T1209 | Time Providers |
| T1210 | Exploitation of Remote Services |
| T1211 | Exploitation for Defense Evasion |
| T1212 | Exploitation for Credential Access |
| T1213 | Data from Information Repositories |
| T1213.001 | Confluence |
| T1213.002 | Sharepoint |
| T1213.003 | Code Repositories |
| T1213.004 | Customer Relationship Management Software |
| T1213.005 | Messaging Applications |
| T1214 | Credentials in Registry |
| T1215 | Kernel Modules and Extensions |
| T1216 | System Script Proxy Execution |
| T1216.001 | PubPrn |
| T1216.002 | SyncAppvPublishingServer |
| T1217 | Browser Information Discovery |
| T1218 | System Binary Proxy Execution |
| T1218.001 | Compiled HTML File |
| T1218.002 | Control Panel |
| T1218.003 | CMSTP |
| T1218.004 | InstallUtil |
| T1218.005 | Mshta |
| T1218.007 | Msiexec |
| T1218.008 | Odbcconf |
| T1218.009 | Regsvcs/Regasm |
| T1218.010 | Regsvr32 |
| T1218.011 | Rundll32 |
| T1218.012 | Verclsid |
| T1218.013 | Mavinject |
| T1218.014 | MMC |
| T1218.015 | Electron Applications |
| T1219 | Remote Access Software |
| T1220 | XSL Script Processing |
| T1221 | Template Injection |
| T1222 | File and Directory Permissions Modification |
| T1222.001 | Windows File and Directory Permissions Modification |
| T1222.002 | Linux and Mac File and Directory Permissions Modification |
| T1223 | Compiled HTML File |
| T1480 | Execution Guardrails |
| T1480.001 | Environmental Keying |
| T1480.002 | Mutual Exclusion |
| T1482 | Domain Trust Discovery |
| T1483 | Domain Generation Algorithms |
| T1484 | Domain or Tenant Policy Modification |
| T1484.001 | Group Policy Modification |
| T1484.002 | Trust Modification |
| T1485 | Data Destruction |
| T1485.001 | Lifecycle-Triggered Deletion |
| T1486 | Data Encrypted for Impact |
| T1487 | Disk Structure Wipe |
| T1488 | Disk Content Wipe |
| T1489 | Service Stop |
| T1490 | Inhibit System Recovery |
| T1491 | Defacement |
| T1491.001 | Internal Defacement |
| T1491.002 | External Defacement |
| T1492 | Stored Data Manipulation |
| T1493 | Transmitted Data Manipulation |
| T1494 | Runtime Data Manipulation |
| T1495 | Firmware Corruption |
| T1496 | Resource Hijacking |
| T1496.001 | Compute Hijacking |
| T1496.002 | Bandwidth Hijacking |
| T1496.003 | SMS Pumping |
| T1496.004 | Cloud Service Hijacking |
| T1497 | Virtualization/Sandbox Evasion |
| T1497.001 | System Checks |
| T1497.002 | User Activity Based Checks |
| T1497.003 | Time Based Evasion |
| T1498 | Network Denial of Service |
| T1498.001 | Direct Network Flood |
| T1498.002 | Reflection Amplification |
| T1499 | Endpoint Denial of Service |
| T1499.001 | OS Exhaustion Flood |
| T1499.002 | Service Exhaustion Flood |
| T1499.003 | Application Exhaustion Flood |
| T1499.004 | Application or System Exploitation |
| T1500 | Compile After Delivery |
| T1501 | Systemd Service |
| T1502 | Parent PID Spoofing |
| T1503 | Credentials from Web Browsers |
| T1504 | PowerShell Profile |
| T1505 | Server Software Component |
| T1505.001 | SQL Stored Procedures |
| T1505.002 | Transport Agent |
| T1505.003 | Web Shell |
| T1505.004 | IIS Components |
| T1505.005 | Terminal Services DLL |
| T1506 | Web Session Cookie |
| T1514 | Elevated Execution with Prompt |
| T1518 | Software Discovery |
| T1518.001 | Security Software Discovery |
| T1519 | Emond |
| T1522 | Cloud Instance Metadata API |
| T1525 | Implant Internal Image |
| T1526 | Cloud Service Discovery |
| T1527 | Application Access Token |
| T1528 | Steal Application Access Token |
| T1529 | System Shutdown/Reboot |
| T1530 | Data from Cloud Storage |
| T1531 | Account Access Removal |
| T1534 | Internal Spearphishing |
| T1535 | Unused/Unsupported Cloud Regions |
| T1536 | Revert Cloud Instance |
| T1537 | Transfer Data to Cloud Account |
| T1538 | Cloud Service Dashboard |
| T1539 | Steal Web Session Cookie |
| T1542 | Pre-OS Boot |
| T1542.001 | System Firmware |
| T1542.002 | Component Firmware |
| T1542.003 | Bootkit |
| T1542.004 | ROMMONkit |
| T1542.005 | TFTP Boot |
| T1543 | Create or Modify System Process |
| T1543.001 | Launch Agent |
| T1543.002 | Systemd Service |
| T1543.003 | Windows Service |
| T1543.004 | Launch Daemon |
| T1543.005 | Container Service |
| T1546 | Event Triggered Execution |
| T1546.001 | Change Default File Association |
| T1546.002 | Screensaver |
| T1546.003 | Windows Management Instrumentation Event Subscription |
| T1546.004 | Unix Shell Configuration Modification |
| T1546.005 | Trap |
| T1546.006 | LC_LOAD_DYLIB Addition |
| T1546.007 | Netsh Helper DLL |
| T1546.008 | Accessibility Features |
| T1546.009 | AppCert DLLs |
| T1546.010 | AppInit DLLs |
| T1546.011 | Application Shimming |
| T1546.012 | Image File Execution Options Injection |
| T1546.013 | PowerShell Profile |
| T1546.014 | Emond |
| T1546.015 | Component Object Model Hijacking |
| T1546.016 | Installer Packages |
| T1546.017 | Udev Rules |
| T1547 | Boot or Logon Autostart Execution |
| T1547.001 | Registry Run Keys / Startup Folder |
| T1547.002 | Authentication Package |
| T1547.003 | Time Providers |
| T1547.004 | Winlogon Helper DLL |
| T1547.005 | Security Support Provider |
| T1547.006 | Kernel Modules and Extensions |
| T1547.007 | Re-opened Applications |
| T1547.008 | LSASS Driver |
| T1547.009 | Shortcut Modification |
| T1547.010 | Port Monitors |
| T1547.011 | Plist Modification |
| T1547.012 | Print Processors |
| T1547.013 | XDG Autostart Entries |
| T1547.014 | Active Setup |
| T1547.015 | Login Items |
| T1548 | Abuse Elevation Control Mechanism |
| T1548.001 | Setuid and Setgid |
| T1548.002 | Bypass User Account Control |
| T1548.003 | Sudo and Sudo Caching |
| T1548.004 | Elevated Execution with Prompt |
| T1548.005 | Temporary Elevated Cloud Access |
| T1548.006 | TCC Manipulation |
| T1550 | Use Alternate Authentication Material |
| T1550.001 | Application Access Token |
| T1550.002 | Pass the Hash |
| T1550.003 | Pass the Ticket |
| T1550.004 | Web Session Cookie |
| T1552 | Unsecured Credentials |
| T1552.001 | Credentials In Files |
| T1552.002 | Credentials in Registry |
| T1552.003 | Bash History |
| T1552.004 | Private Keys |
| T1552.005 | Cloud Instance Metadata API |
| T1552.006 | Group Policy Preferences |
| T1552.007 | Container API |
| T1552.008 | Chat Messages |
| T1553 | Subvert Trust Controls |
| T1553.001 | Gatekeeper Bypass |
| T1553.002 | Code Signing |
| T1553.003 | SIP and Trust Provider Hijacking |
| T1553.004 | Install Root Certificate |
| T1553.005 | Mark-of-the-Web Bypass |
| T1553.006 | Code Signing Policy Modification |
| T1554 | Compromise Host Software Binary |
| T1555 | Credentials from Password Stores |
| T1555.001 | Keychain |
| T1555.002 | Securityd Memory |
| T1555.003 | Credentials from Web Browsers |
| T1555.004 | Windows Credential Manager |
| T1555.005 | Password Managers |
| T1555.006 | Cloud Secrets Management Stores |
| T1556 | Modify Authentication Process |
| T1556.001 | Domain Controller Authentication |
| T1556.002 | Password Filter DLL |
| T1556.003 | Pluggable Authentication Modules |
| T1556.004 | Network Device Authentication |
| T1556.005 | Reversible Encryption |
| T1556.006 | Multi-Factor Authentication |
| T1556.007 | Hybrid Identity |
| T1556.008 | Network Provider DLL |
| T1556.009 | Conditional Access Policies |
| T1557 | Adversary-in-the-Middle |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
| T1557.002 | ARP Cache Poisoning |
| T1557.003 | DHCP Spoofing |
| T1557.004 | Evil Twin |
| T1558 | Steal or Forge Kerberos Tickets |
| T1558.001 | Golden Ticket |
| T1558.002 | Silver Ticket |
| T1558.003 | Kerberoasting |
| T1558.004 | AS-REP Roasting |
| T1558.005 | Ccache Files |
| T1559 | Inter-Process Communication |
| T1559.001 | Component Object Model |
| T1559.002 | Dynamic Data Exchange |
| T1559.003 | XPC Services |
| T1560 | Archive Collected Data |
| T1560.001 | Archive via Utility |
| T1560.002 | Archive via Library |
| T1560.003 | Archive via Custom Method |
| T1561 | Disk Wipe |
| T1561.001 | Disk Content Wipe |
| T1561.002 | Disk Structure Wipe |
| T1562 | Impair Defenses |
| T1562.001 | Disable or Modify Tools |
| T1562.002 | Disable Windows Event Logging |
| T1562.003 | Impair Command History Logging |
| T1562.004 | Disable or Modify System Firewall |
| T1562.006 | Indicator Blocking |
| T1562.007 | Disable or Modify Cloud Firewall |
| T1562.008 | Disable or Modify Cloud Logs |
| T1562.009 | Safe Mode Boot |
| T1562.010 | Downgrade Attack |
| T1562.011 | Spoof Security Alerting |
| T1562.012 | Disable or Modify Linux Audit System |
| T1563 | Remote Service Session Hijacking |
| T1563.001 | SSH Hijacking |
| T1563.002 | RDP Hijacking |
| T1564 | Hide Artifacts |
| T1564.001 | Hidden Files and Directories |
| T1564.002 | Hidden Users |
| T1564.003 | Hidden Window |
| T1564.004 | NTFS File Attributes |
| T1564.005 | Hidden File System |
| T1564.006 | Run Virtual Instance |
| T1564.007 | VBA Stomping |
| T1564.008 | Email Hiding Rules |
| T1564.009 | Resource Forking |
| T1564.010 | Process Argument Spoofing |
| T1564.011 | Ignore Process Interrupts |
| T1564.012 | File/Path Exclusions |
| T1565 | Data Manipulation |
| T1565.001 | Stored Data Manipulation |
| T1565.002 | Transmitted Data Manipulation |
| T1565.003 | Runtime Data Manipulation |
| T1566 | Phishing |
| T1566.001 | Spearphishing Attachment |
| T1566.002 | Spearphishing Link |
| T1566.003 | Spearphishing via Service |
| T1566.004 | Spearphishing Voice |
| T1567 | Exfiltration Over Web Service |
| T1567.001 | Exfiltration to Code Repository |
| T1567.002 | Exfiltration to Cloud Storage |
| T1567.003 | Exfiltration to Text Storage Sites |
| T1567.004 | Exfiltration Over Webhook |
| T1568 | Dynamic Resolution |
| T1568.001 | Fast Flux DNS |
| T1568.002 | Domain Generation Algorithms |
| T1568.003 | DNS Calculation |
| T1569 | System Services |
| T1569.001 | Launchctl |
| T1569.002 | Service Execution |
| T1570 | Lateral Tool Transfer |
| T1571 | Non-Standard Port |
| T1572 | Protocol Tunneling |
| T1573 | Encrypted Channel |
| T1573.001 | Symmetric Cryptography |
| T1573.002 | Asymmetric Cryptography |
| T1574 | Hijack Execution Flow |
| T1574.001 | DLL Search Order Hijacking |
| T1574.002 | DLL Side-Loading |
| T1574.004 | Dylib Hijacking |
| T1574.005 | Executable Installer File Permissions Weakness |
| T1574.006 | Dynamic Linker Hijacking |
| T1574.007 | Path Interception by PATH Environment Variable |
| T1574.008 | Path Interception by Search Order Hijacking |
| T1574.009 | Path Interception by Unquoted Path |
| T1574.010 | Services File Permissions Weakness |
| T1574.011 | Services Registry Permissions Weakness |
| T1574.012 | COR_PROFILER |
| T1574.013 | KernelCallbackTable |
| T1574.014 | AppDomainManager |
| T1578 | Modify Cloud Compute Infrastructure |
| T1578.001 | Create Snapshot |
| T1578.002 | Create Cloud Instance |
| T1578.003 | Delete Cloud Instance |
| T1578.004 | Revert Cloud Instance |
| T1578.005 | Modify Cloud Compute Configurations |
| T1580 | Cloud Infrastructure Discovery |
| T1583 | Acquire Infrastructure |
| T1583.001 | Domains |
| T1583.002 | DNS Server |
| T1583.003 | Virtual Private Server |
| T1583.004 | Server |
| T1583.005 | Botnet |
| T1583.006 | Web Services |
| T1583.007 | Serverless |
| T1583.008 | Malvertising |
| T1584 | Compromise Infrastructure |
| T1584.001 | Domains |
| T1584.002 | DNS Server |
| T1584.003 | Virtual Private Server |
| T1584.004 | Server |
| T1584.005 | Botnet |
| T1584.006 | Web Services |
| T1584.007 | Serverless |
| T1584.008 | Network Devices |
| T1585 | Establish Accounts |
| T1585.001 | Social Media Accounts |
| T1585.002 | Email Accounts |
| T1585.003 | Cloud Accounts |
| T1586 | Compromise Accounts |
| T1586.001 | Social Media Accounts |
| T1586.002 | Email Accounts |
| T1586.003 | Cloud Accounts |
| T1587 | Develop Capabilities |
| T1587.001 | Malware |
| T1587.002 | Code Signing Certificates |
| T1587.003 | Digital Certificates |
| T1587.004 | Exploits |
| T1588 | Obtain Capabilities |
| T1588.001 | Malware |
| T1588.002 | Tool |
| T1588.003 | Code Signing Certificates |
| T1588.004 | Digital Certificates |
| T1588.005 | Exploits |
| T1588.006 | Vulnerabilities |
| T1588.007 | Artificial Intelligence |
| T1589 | Gather Victim Identity Information |
| T1589.001 | Credentials |
| T1589.002 | Email Addresses |
| T1589.003 | Employee Names |
| T1590 | Gather Victim Network Information |
| T1590.001 | Domain Properties |
| T1590.002 | DNS |
| T1590.003 | Network Trust Dependencies |
| T1590.004 | Network Topology |
| T1590.005 | IP Addresses |
| T1590.006 | Network Security Appliances |
| T1591 | Gather Victim Org Information |
| T1591.001 | Determine Physical Locations |
| T1591.002 | Business Relationships |
| T1591.003 | Identify Business Tempo |
| T1591.004 | Identify Roles |
| T1592 | Gather Victim Host Information |
| T1592.001 | Hardware |
| T1592.002 | Software |
| T1592.003 | Firmware |
| T1592.004 | Client Configurations |
| T1593 | Search Open Websites/Domains |
| T1593.001 | Social Media |
| T1593.002 | Search Engines |
| T1593.003 | Code Repositories |
| T1594 | Search Victim-Owned Websites |
| T1595 | Active Scanning |
| T1595.001 | Scanning IP Blocks |
| T1595.002 | Vulnerability Scanning |
| T1595.003 | Wordlist Scanning |
| T1596 | Search Open Technical Databases |
| T1596.001 | DNS/Passive DNS |
| T1596.002 | WHOIS |
| T1596.003 | Digital Certificates |
| T1596.004 | CDNs |
| T1596.005 | Scan Databases |
| T1597 | Search Closed Sources |
| T1597.001 | Threat Intel Vendors |
| T1597.002 | Purchase Technical Data |
| T1598 | Phishing for Information |
| T1598.001 | Spearphishing Service |
| T1598.002 | Spearphishing Attachment |
| T1598.003 | Spearphishing Link |
| T1598.004 | Spearphishing Voice |
| T1599 | Network Boundary Bridging |
| T1599.001 | Network Address Translation Traversal |
| T1600 | Weaken Encryption |
| T1600.001 | Reduce Key Space |
| T1600.002 | Disable Crypto Hardware |
| T1601 | Modify System Image |
| T1601.001 | Patch System Image |
| T1601.002 | Downgrade System Image |
| T1602 | Data from Configuration Repository |
| T1602.001 | SNMP (MIB Dump) |
| T1602.002 | Network Device Configuration Dump |
| T1606 | Forge Web Credentials |
| T1606.001 | Web Cookies |
| T1606.002 | SAML Tokens |
| T1608 | Stage Capabilities |
| T1608.001 | Upload Malware |
| T1608.002 | Upload Tool |
| T1608.003 | Install Digital Certificate |
| T1608.004 | Drive-by Target |
| T1608.005 | Link Target |
| T1608.006 | SEO Poisoning |
| T1609 | Container Administration Command |
| T1610 | Deploy Container |
| T1611 | Escape to Host |
| T1612 | Build Image on Host |
| T1613 | Container and Resource Discovery |
| T1614 | System Location Discovery |
| T1614.001 | System Language Discovery |
| T1615 | Group Policy Discovery |
| T1619 | Cloud Storage Object Discovery |
| T1620 | Reflective Code Loading |
| T1621 | Multi-Factor Authentication Request Generation |
| T1622 | Debugger Evasion |
| T1647 | Plist File Modification |
| T1648 | Serverless Execution |
| T1649 | Steal or Forge Authentication Certificates |
| T1650 | Acquire Access |
| T1651 | Cloud Administration Command |
| T1652 | Device Driver Discovery |
| T1653 | Power Settings |
| T1654 | Log Enumeration |
| T1656 | Impersonation |
| T1657 | Financial Theft |
| T1659 | Content Injection |
| T1665 | Hide Infrastructure |
| T1666 | Modify Cloud Resource Hierarchy |